Reload TLS key pair on HUP signal

internal/service/security/tls.go

@@ -38,6 +38,20 @@ func NewKeyPairReloader(certPath, keyPath string) (*KeyPairReloader, error) {
 	return res, nil
 }
 
+// Reload attempts to reload the TLS key pair.
+func (kpr *KeyPairReloader) Reload() error {
+	cert, err := tls.LoadX509KeyPair(kpr.certPath, kpr.keyPath)
+	if err != nil {
+		return err
+	}
+
+	kpr.certMu.Lock()
+	defer kpr.certMu.Unlock()
+
+	kpr.cert = &cert
+	return nil
+}
+
 // GetCertificateFunc provides a function for tls.Config.GetCertificate.
 func (kpr *KeyPairReloader) GetCertificateFunc() func(*tls.ClientHelloInfo) (*tls.Certificate, error) {
 	return func(clientHello *tls.ClientHelloInfo) (*tls.Certificate, error) {

internal/service/service.go

@@ -112,6 +112,11 @@ func (s *Service) SetTLSEnabled() {
 	s.enableTLS = true
 }
 
+// TLSEnabled return true if TLS is enabled for the service.
+func (s *Service) TLSEnabled() bool {
+	return s.enableTLS
+}
+
 // SetTLSKeyPair sets the TLS key pair for the service.
 func (s *Service) SetTLSKeyPair(certPath, keyPath string) error {
 	if certPath == "" {
@@ -132,6 +137,11 @@ func (s *Service) SetTLSKeyPair(certPath, keyPath string) error {
 	return nil
 }
 
+// ReloadTLSKeyPair attempts to reload the configured TLS certificate key pair.
+func (s *Service) ReloadTLSKeyPair() error {
+	return s.kpr.Reload()
+}
+
 // SetTLSMinVersion sets the minimum support TLS version, such as "v1.3".
 func (s *Service) SetTLSMinVersion(ver string) (err error) {
 	s.tlsMinVersion, err = security.GetTLSVersion(ver)